11140080

SDN Security

Published: October 5, 2021
Assignee: not available in USPTO data we have
Patent Claims
11 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method for use in a network element in a user plane, said method comprising: receiving an instruction for checking whether messages in the user plane comply with a preconfigured rule; checking whether the messages in the user plane comply to the preconfigured rule, wherein the messages in the user plane comply to the preconfigured rule when the messages comply to one of Dynamic Host Configuration Protocol (DHCP), Remote Authentication Dial-In User Service (RADIUS), Layer 2 Tunneling Protocol (L2TP), and Point-to-Point Protocol (PPP); and if it is determined that the messages comply to the preconfigured rule, checking whether a number of specific signaling messages, according to one of DHCP, RADIUS, L2TP, and PPP, related to address allocation that are sent to a controller has reached a predetermined threshold; and if the predetermined threshold has been reached, reducing transmission of the specific signaling messages to the controller, and if the predetermined threshold has not been reached, transmitting the specific signaling messages to the controller, and if the specific threshold has been reached and the transmission has been throttled, resuming transmission of the specific signaling messages upon request from the controller.

2. The method according to claim 1, further comprising: searching for specific signaling messages carrying the specific information; extracting specific information from the specific signaling messages; and transmitting the extracted specific information to the controller.

3. The method according to claim 2, further comprising: transmitting the specific information via at least one of a DHCP relay, link control protocol (LCP), authentication, or internet protocol control protocol (IPCP) negotiation to at least one of RADIUS, DHCP, or L2TP mapping functionality, wherein the specific information comprises an internet protocol address or a lease time of the internet protocol address.

4. The method according to claim 1, wherein the controller conforms to one of OpenFlow protocol or Forwarding and Control Element Separation Protocol.

5. A computer program product embodied on a non-transitory computer-readable medium, said product including a program for a processing device, comprising software code portions for performing the method of claim 1 when the program is run on the processing device.

6. A method for use in a network element, said method comprising: evaluating whether a request for address allocation fulfills a predetermined condition, wherein the predetermined condition includes that the address allocation has been requested via one of Dynamic Host Configuration Protocol (DHCP), Remote Authentication Dial-In User Service (RADIUS), Layer 2 Tunneling Protocol (L2TP), or Point-to-Point Protocol (PPP); if it is determined that the request fulfills the predetermined condition, causing another network element in a user plane to check whether messages in the user plane comply to a preconfigured rule, wherein the preconfigured rule includes that the message in the user plane is a message conforming to one of DHCP, RADIUS, L2TP, or PPP; and causing the another network element in the user plane to reduce specific signaling messages, according to one of DHCP, RADIUS, L2TP, and PPP, related to address allocation to a controller if the messages in the user plane comply with the preconfigured rule and if a predetermined threshold has been reached, and to transmit the specific signaling messages to the controller if the predetermined threshold has not been reached, and to resume transmission of the specific signaling messages upon request from the controller if the specific threshold has been reached and the transmission has been throttled.

7. An apparatus for use in a network element in a user plane, said apparatus comprising: at least one processor; and at least one memory for storing instructions to be executed by the processor, wherein the at least one memory and the instructions are configured to, with the at least one processor, cause the apparatus at least to perform receiving an instruction for checking whether messages in the user plane comply with a preconfigured rule; checking whether the messages in the user plane comply to the preconfigured rule, wherein the messages in the user plane comply with the preconfigured rule when the messages comply to one of Dynamic Host Configuration Protocol (DHCP), Remote Authentication Dial-In User Service (RADIUS), Layer 2 Tunneling Protocol (L2TP), and Point-to-Point Protocol (PPP), and if it is determined that the messages comply to the preconfigured rule, checking whether a number of specific signaling messages, according to one of DHCP, RADIUS, L2TP, and PPP, related to address allocation that are sent to a controller has reached a predetermined threshold, and if the predetermined threshold has been reached, reducing transmission of the specific signaling messages to the controller, and if the predetermined threshold has not been reached, transmitting the specific signaling messages to the controller, and if the specific threshold has been reached and the transmission has been throttled, resuming transmission of the specific signaling messages upon request from the controller.

8. The apparatus according to claim 7, wherein the at least one memory and the instructions are further configured to, with the at least one processor, cause the apparatus at least to perform: searching for specific signaling messages carrying the specific information, extracting specific information from the specific signaling messages, and transmitting the extracted specific information to the controller.

9. The apparatus according to claim 8, wherein the at least one memory and the instructions are further configured to, with the at least one processor, cause the apparatus at least to perform: transmitting the specific information via at least one of a DHCP relay, link control protocol (LCP), authentication, or internet protocol control protocol (IPCP) negotiation to at least one of RADIUS, DHCP, or L2TP mapping functionality, wherein the specific information is an internet protocol address or a lease time of the internet protocol address.

10. The apparatus according to claim 7, wherein the controller conforms to one of OpenFlow protocol or Forwarding and Control Element Separation Protocol.

11. An apparatus for use in a network element, comprising: at least one processor; and at least one memory for storing instructions to be executed by the processor, wherein the at least one memory and the instructions are configured to, with the at least one processor, cause the apparatus at least to perform: evaluating whether a request for address allocation fulfills a predetermined condition, wherein the predetermined condition includes that the address allocation has been requested via one of Dynamic Host Configuration Protocol (DHCP), Remote Authentication Dial-In User Service (RADIUS), Layer 2 Tunneling Protocol (L2TP), or Point-to-Point Protocol (PPP), if it is determined that the request fulfills the predetermined condition, causing another network element in a user plane to check whether messages in the user plane comply to a preconfigured rule, wherein the preconfigured rule includes that the message in the user plane is a message conforming to one of DHCP, RADIUS, L2TP, or PPP, and causing an indication to the another network element in the user plane to reduce specific signaling messages, according to one of DHCP, RADIUS, L2TP, and PPP, related to address allocation to a controller if the messages in the user plane comply to the preconfigured rule and if a predetermined threshold has been reached, and to transmit the specific signaling messages to the controller if the predetermined threshold has not been reached, and to resume transmission of the specific signaling messages upon request from the controller if the specific threshold has been reached and the transmission has been throttled.
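
Claims 1 and 7 recite a count-and-throttle behaviour for address-allocation signaling sent from the user plane to the controller. The sketch below is an added illustration, not text from the patent or code from its inventor; the class name, the message representation, the threshold value, and the reading of "reducing transmission" as dropping or forwarding only every Nth message are assumptions.

```python
from dataclasses import dataclass

# Protocols listed in the claims' "preconfigured rule".
RULE_PROTOCOLS = {"DHCP", "RADIUS", "L2TP", "PPP"}


@dataclass
class UserPlaneThrottle:
    """Hypothetical model of the user-plane element in claims 1 and 7."""
    threshold: int            # "predetermined threshold" (value chosen by the operator)
    keep_one_in: int = 0      # assumption: 0 drops all while throttled, N forwards every Nth
    rule_active: bool = False
    sent: int = 0             # signaling messages forwarded to the controller so far
    throttled: bool = False
    seen_while_throttled: int = 0

    def instruct(self):
        """Controller instruction to start checking messages against the rule."""
        self.rule_active = True

    def resume(self):
        """Controller request to resume transmission after throttling."""
        self.throttled = False
        self.sent = 0
        self.seen_while_throttled = 0

    def handle(self, protocol, address_allocation):
        """Classify one user-plane message: 'controller', 'suppressed' or 'not_matched'."""
        if not (self.rule_active and protocol in RULE_PROTOCOLS and address_allocation):
            return "not_matched"          # outside the rule; handled elsewhere
        if self.sent >= self.threshold:
            self.throttled = True
        if self.throttled:
            self.seen_while_throttled += 1
            if self.keep_one_in and self.seen_while_throttled % self.keep_one_in == 0:
                return "controller"       # reduced, not stopped
            return "suppressed"
        self.sent += 1
        return "controller"


def run_demo():
    """Constructed message sequence: a DHCP burst, unrelated traffic, then a resume."""
    element = UserPlaneThrottle(threshold=3)
    element.instruct()
    results = [element.handle("DHCP", True) for _ in range(5)]
    results.append(element.handle("HTTP", False))
    element.resume()
    results.append(element.handle("RADIUS", True))
    return results


if __name__ == "__main__":
    print(run_demo())
```
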

Patent Metadata

Filing Date: Unknown

Publication Date: October 5, 2021

Inventors: Klaus HOFFMANN

Cite as: Patentable. “SDN SECURITY” (11140080). https://patentable.app/patents/11140080